Australia's Leading Computer Emergency Response Team

Banner Ad Malware
Date: 13 November 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8360


We received a report on Tuesday night that www.whitepages.com.au was serving malicious software. It is important to understand that the malware was not hosted on the WhitePages website itself; it was being served through the banner advertisements displayed on the site.

It was later reported that the advertisement ran on all of the Sensis sites, which included:
Yellowpages.com.au
Whitepages.com.au
Sensis.com.au
Whereis.com
Citysearch.com.au
Tradingpost.com.au
Linkme.com.au
Gostay.com.au
Invizage.com.au
Justlisted.com.au
Universalpublishers.com.au

Sensis acted swiftly to remove the sabotaged banner advertisement from the affected Sensis sites and then followed up with further work to ensure the original ad was not accessible anywhere online.

The redirection chain to the malicious software is as follows (the URLs are de-fanged: replace each comma with a dot):

From the Sensis page you'll get a banner from an address similar to
h**p :// medrx,sensis,com,au /content/SkyAuction/106804/skyauction_728x90.swf
which redirects to
h**p :// blessedads,com /?cmpid=ski11tip
which redirects to
h**p :// prevedmarketing,com /?tmn=mwatmp&aid=ski11tip&lid=keyin_ao_4682_2797_2358_ao_&ax=1&ed=2&mt_info=4682_2797_2358
which then redirects to
h**p :// scanner2,malware-scan,com /8_swp/?tmn=mwatmp&aid=ski11tip&lid=keyin_ao_4682_2797_2358_ao__ao_3958_0_10230_ao_&ax=1&ed=2&mt_info=4682_2797_2358&tmn=null
which then redirects to
h**p :// scanner2,malware-scan,com /8_swp/8.php?tmn=mwatmp&aid=ski11tip&lid=keyin_ao_4682_2797_2358_ao__ao_3958_0_10230_ao_&ax=1&ed=2&mt_info=4682_2797_2358&tmn=null

Finally, this page serves JavaScript that attempts to execute a file through an instantiated ActiveX object. Silent execution requires two things: the operating system must be Windows XP Service Pack 2 and the browser must be Internet Explorer. If the browser is IE but the OS is not XP SP2, the user is prompted to open the file; if the browser is not IE, the user is likewise prompted to open the file.

Please check your proxy and DNS logs for any activity to the following domains, including their subdomains (for example scanner2,malware-scan,com in the chain above), as machines that contacted them are likely to be infected with malware.

blessedads,com
prevedmarketing,com
malware-scan,com
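As an added example (not part of the advisory), the following Python script scans proxy access logs for requests to these domains and lists the client addresses that should be examined. It assumes Squid native access.log format, with the client address in the third field and the URL in the seventh; the sample log embedded in it is constructed for illustration, with made-up timestamps and addresses. Matching is done on the host name, so subdomains such as scanner2.malware-scan.com are caught while look-alike names such as notmalware-scan.com are not.

```python
"""Scan proxy access logs for requests to the domains listed in the advisory.

Added example; it is not part of the AusCERT advisory. The log lines below are
constructed in Squid native access.log format purely to exercise the code: the
timestamps, client addresses and server addresses are made up, and the URLs are
the de-fanged ones from the advisory with the commas restored.
"""
import sys
from urllib.parse import urlsplit

# Domains from the advisory. Matching is on the host name, so subdomains such as
# scanner2.malware-scan.com (seen in the redirection chain) are caught too.
SUSPECT_DOMAINS = ("blessedads.com", "prevedmarketing.com", "malware-scan.com")

# Constructed sample log (Squid native format):
# timestamp elapsed client action/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1194950401.123 312 10.1.2.3 TCP_MISS/200 14233 GET http://www.whitepages.com.au/ - DIRECT/203.0.113.10 text/html
1194950402.456 201 10.1.2.3 TCP_MISS/200 41120 GET http://medrx.sensis.com.au/content/SkyAuction/106804/skyauction_728x90.swf - DIRECT/203.0.113.11 application/x-shockwave-flash
1194950403.789 180 10.1.2.3 TCP_MISS/302 389 GET http://blessedads.com/?cmpid=ski11tip - DIRECT/198.51.100.20 text/html
1194950404.012 220 10.1.2.3 TCP_MISS/200 5120 GET http://scanner2.malware-scan.com/8_swp/8.php?tmn=mwatmp&aid=ski11tip - DIRECT/198.51.100.30 text/html
1194950405.345 150 10.1.2.9 TCP_MISS/200 8000 GET http://notmalware-scan.com/index.html - DIRECT/198.51.100.40 text/html
1194950406.678 140 10.1.2.7 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/203.0.113.12 text/html
"""


def host_matches(host, domain):
    """True for the domain itself or any subdomain of it, but not for a
    look-alike such as notmalware-scan.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_hits(log_text, domains=SUSPECT_DOMAINS):
    """Return (client_ip, host, url) for every request to a suspect domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, url = fields[2], fields[6]
        host = urlsplit(url).hostname or ""
        if any(host_matches(host, d) for d in domains):
            hits.append((client, host, url))
    return hits


def suspect_clients(log_text, domains=SUSPECT_DOMAINS):
    """Sorted, de-duplicated client addresses that should be examined."""
    return sorted({client for client, _, _ in find_hits(log_text, domains)})


if __name__ == "__main__":
    # Usage: python scan_proxy_log.py access.log [more logs ...]
    # With no arguments the constructed sample above is scanned.
    if len(sys.argv) > 1:
        text = "".join(open(path).read() for path in sys.argv[1:])
    else:
        text = SAMPLE_LOG
    for client, host, url in find_hits(text):
        print(f"{client}\t{host}\t{url}")
    print("clients to examine:", ", ".join(suspect_clients(text)))
```

Run it against the raw access logs for the period in question; each client address it prints made at least one request into the redirection chain and should be treated as suspect until examined. The host-name match is deliberate: a plain substring search for "malware-scan.com" would also flag unrelated names that merely contain that string.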

Also, you may wish to consider setting the kill bit on the following CLSID, as it is the ActiveX control used to silently execute the file. Note that this CLSID belongs to the Windows Media Player control (wmp.dll), so kill-bitting it will also prevent legitimate Windows Media content embedded in web pages from playing in Internet Explorer until the kill bit is cleared again.
6BF52A52-394A-11D3-B153-00C04F79FAA6

To see how to set the kill bit, please refer to Microsoft Knowledge Base article 240797: http://support.microsoft.com/kb/240797
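As an added example (not code from the advisory or from the Knowledge Base article), the following Python helper renders a .reg file that sets the kill bit on that CLSID and parses the output of reg query to confirm that it took. It assumes what KB 240797 describes: the kill bit is the 0x400 bit of the "Compatibility Flags" DWORD stored under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The reg query output used as sample input is constructed for illustration.

```python
r"""Set and verify the kill bit for the CLSID named in the advisory.

Added example; it is not part of the AusCERT advisory or of Microsoft's
KB 240797. The registry location and the flag value follow that article: the
kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
The sample 'reg query' output below is constructed for illustration.
"""
import re

KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ADVISORY_CLSID = "6BF52A52-394A-11D3-B153-00C04F79FAA6"

# 8-4-4-4-12 hex GUID, with or without surrounding braces, any case.
_CLSID_RE = re.compile(
    r"^\{?([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}?$", re.I
)


def normalise_clsid(clsid):
    """Return the CLSID in the braced, upper-case form the registry key uses,
    rejecting anything that is not a well-formed GUID."""
    m = _CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def with_kill_bit(existing_flags):
    """OR the kill bit into whatever Compatibility Flags are already set, so
    that other flags on the control are preserved rather than overwritten."""
    return existing_flags | KILL_BIT


def has_kill_bit(flags):
    """True when the 0x400 bit is present in a Compatibility Flags value."""
    return bool(flags & KILL_BIT)


def reg_file(clsid, existing_flags=0):
    """Render a .reg file that 'regedit /s' can import on the target host."""
    flags = with_kill_bit(existing_flags)
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{COMPAT_KEY}\\{normalise_clsid(clsid)}]\r\n"
        f'"Compatibility Flags"=dword:{flags:08x}\r\n'
    )


def flags_from_reg_query(output):
    """Parse the 'Compatibility Flags' value out of 'reg query' output.
    Returns None if the value is absent, i.e. no kill bit has been set."""
    m = re.search(r"Compatibility Flags\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", output)
    return int(m.group(1), 16) if m else None


# Constructed sample of what
#   reg query "<COMPAT_KEY>\{CLSID}" /v "Compatibility Flags"
# prints once the value has been set.
SAMPLE_REG_QUERY = (
    "\r\n"
    + COMPAT_KEY + "\\{" + ADVISORY_CLSID + "}\r\n"
    + "    Compatibility Flags    REG_DWORD    0x400\r\n\r\n"
)

if __name__ == "__main__":
    print(reg_file(ADVISORY_CLSID))
    flags = flags_from_reg_query(SAMPLE_REG_QUERY)
    print("kill bit set:", flags is not None and has_kill_bit(flags))
```

Import the generated file on the workstation with regedit /s (or through your usual policy deployment tooling), then run reg query on the key and pass its output to flags_from_reg_query to confirm the bit is present. If a Compatibility Flags value already exists for the control, query it first and pass it as existing_flags so that its other bits are kept rather than overwritten.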

Hopefully we can get more information to you soon on the actual purpose of the malware.

Regards,

Zane